
Mac OS X Compromised in Under 30 Minutes.

Postby spyder » Sat Mar 11, 2006 2:37 am

Hacker Gains Root Access to Mac OS X in 30 Minutes

Walaika K. Haskins, newsfactor.com

It took a hacker less than 30 minutes to gain root-level access to Mac OS X, according to a report from ZDNet.

The hacker who penetrated the system called the Mac "easy pickings."

The security breach took place on February 22 after a Swedish devotee of the Mac set up a Mac Mini as a server and invited all takers to try to compromise the system's security to gain root-level control. Once a hacker has gained root access to a computer system, the attacker can install applications, delete files and folders, and use the computer for any nefarious purpose.
The competition was over in a matter of hours after a hacker, who asked to be identified only as "Gwerdna," gained access to the server in question and defaced the Web site with a message that read, "This sucks. Six hours later this poor little Mac was owned and this page got defaced."

Gwerdna told ZDNet that it took him a mere 30 minutes or less to gain root control of the Mac. "It probably took about 20 or 30 minutes to get root on the box," Gwerdna said. "Initially, I tried looking around the box for certain misconfigurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for the Mac OS X."

Taking Aim at Macs

Although Gwerdna said that the Mac Mini could have been protected more effectively, he also said that, even had the machine been configured for better security, it would not have stopped him because the vulnerability he exploited has yet to be published and Apple has not released a patch for it.

The winner of the hacking contest went on to say that there is a limitation on what hackers can do with unknown and unpublished vulnerabilities because there are countermeasures that systems administrators can employ to tighten security -- even for unpublished software flaws.

Although Gwerdna said that Mac OS X contains unpatched vulnerabilities that would permit a hacker to infiltrate Apple's operating system, he said that the relatively small number of Macs in use -- in contrast to the vast number of PCs running Windows -- is the reason more hackers do not try to exploit them.

"Mac OS X is easy pickings for bug finders," he told ZDNet. "That said, it doesn't have the market share to really interest most serious bug finders."

Flawed Apples

News of this contest comes on the heels of Macs being hit by two viruses and a critical security flaw. Security experts called the Leap and Inqtana viruses relatively harmless because of their limited scope, but rated the security flaw in Apple's Safari Web browser as critical.

Discovered by Michael Lehn, a graduate student and research assistant at the University of Ulm in southern Germany, the Safari vulnerability could have allowed attackers to disable a Mac computer after tricking the user into accessing a phony Internet site that contained malicious code.

Up until the point that Apple patched the flaw, the Safari browser's default configuration was set to open and run compressed files automatically. Attackers could exploit the flaw when Mac users downloaded files in which malicious software had been disguised to appear as safe.

Apple issued a security update last Wednesday to fix 20 Mac OS X vulnerabilities, including the Web-browser problem and a similar flaw in Apple's Mail client. The update also patched iChat, Apple's instant-messaging application, which now relies on an Apple technology called "download validation" to warn users of unknown or unsafe file types during transfers.

Lessons Learned

"The lesson here is that if we look at Mac OS X and compare it to, say, Windows XP, we find that, in terms of the number of vulnerabilities, they are actually quite comparable," said Vincent Weafer, senior director at Symantec Security Response.

What might surprise many is that both Apple's Mac OS X and Microsoft's Windows have roughly the same type of vulnerabilities in a similar volume, said Weafer.

But he did say that direct comparisons are not possible because both companies report vulnerabilities and security updates differently -- and Apple ships more applications with Mac OS X than Microsoft does with Windows.

Weafer also said that hackers are not capitalizing on vulnerabilities in Mac OS X to the same degree they are trying to exploit flaws in Windows. Weafer estimated that there are between 100,000 to 200,000 Windows viruses compared to 200 or so Mac viruses.

According to Weafer, the number of Mac vulnerabilities discovered and the possibility they will be exploited will gradually rise as a direct result of an increased interest in Mac OS X. Weafer urged Mac users to make sure they have installed antivirus and antispyware applications and are updating them regularly.

Postby Charles » Sat Mar 11, 2006 2:53 am

This has already been well debunked. The article fails to mention that the cracker was given a local account and password. The Mac was cracked from within, not from the outside. This is not a hack, this is a "privilege escalation." There is still no way to compromise a MacOS X system from the outside.

Postby emperor » Sat Mar 11, 2006 8:46 am

Charles wrote:...There is still no way to compromise a MacOS X system from the outside.


As safe as I feel with my Macs, that sounds a tad too absolute and presumptuous to me.
Every fight is a food fight...
...when you're a cannibal

Postby Charles » Sat Mar 11, 2006 11:41 am

emperor wrote:As safe as I feel with my Macs, that sounds a tad too absolute and presumptuous to me.

I watch security lists pretty closely, and so far, I've seen only one confirmed MacOS X system hacked, the guy opened telnet and used a 3 character password. That is basically asking for someone to crack your machine.
The other day I noticed someone trying to hack into the OS X machine I use as a web server. I decided to tail the system logs and watch him try to break in. He was pretty good, he ran about every hack I've ever heard of, he even tried a dictionary attack but it didn't do any good.

Anyway, it is turning out that the hack story is a hoax. And what else would you expect from a story originating at ZDNet Australia? The hacker who broke in was contacted, he was challenged to break in to the University of Wisconsin Mac security challenge, he refused and said he didn't want to "waste a good hack." The administrator of the system who was supposedly hacked was contacted and asked to provide the system logs from the time of the hack, so independent authorities could validate that a hack even took place. He refused.

So there is not one shred of evidence that the story of the hacked mac is true. The hacker "Gwerdna" won't show proof he can hack a mac, and the system operator that was allegedly hacked won't show proof he was hacked. There is no story here.

Postby spyder » Sat Mar 11, 2006 3:53 pm

The reason Macs are so "safe" is because there is no "market" to target them. This has been discussed on another IT forum I visit. The number of Macs in use in the world is literally nothing compared to the PCs running Windows.

People don't have reasons to hack Macs. IF Macs become a popular base for major servers, then I am sure you will see A LOT more hacks. There are lots of people out there with the tools and ability, but there is no reward, (yet), at the end of it for them.

Postby Charles » Sat Mar 11, 2006 9:21 pm

spyder wrote:The reason Macs are so "safe" is because there is no "market" to target them. This has been discussed on another IT forum I visit. The number of Macs in use in the world is literally nothing compared to the PCs running Windows.

People don't have reasons to hack Macs. IF Macs become a popular base for major servers, then I am sure you will see A LOT more hacks. There are lots of people out there with the tools and ability, but there is no reward, (yet), at the end of it for them.

Bullshit. This has been the topic of continual discussion in Mac circles, and it's just bullshit. You are basically espousing "security through obscurity" which any knowledgeable security person will tell you is bullshit. There are plenty of hacks and viruses for OSes with far smaller installed base than Mac. The size of the installed base is irrelevant.

MacOS X is a top priority hacker's target because it has never been done and it can't be done. There are major bragging rights for the first hacker to release a successful Mac virus.

Postby Currawong » Sat Mar 11, 2006 10:31 pm

A couple of useful notes:

The "dictionary" attacks anyone may see on their macs target all servers around the world constantly. A bit of googling reveals this. Already compromised machines are injected with a script that attacks other machines. The hacked machines are used by malicious people in large scale attacks on networks.

Charles wrote:MacOS X is a top priority hacker's target because it has never been done and it can't be done.

That's a very misleading and basically untrue statement. It has been done - I've known of a server running OSX that was hacked and used for sending spam. If you install a known insecure version of some web portals and web stats programs, the generic attacks and SQL injection attacks will result in a successful intrusion. A number of sufficiently knowledgeable people have suggested to me that OSX Server is not secure enough to be left exposed to the net without a firewall. I know that in itself requires some clarification to be understood properly though.

This is all aside from obvious stupidity such as short/no passwords etc.
If you cannot find the truth right where you are
where else do you expect to find it?
- Dogen Zenji

Postby Charles » Sun Mar 12, 2006 4:04 am

Currawong wrote:That's a very misleading and basically untrue statement. It has been done - I've known of a server running OSX that was hacked and used for sending spam. If you install a known insecure version of some web portals and web stats programs, the generic attacks and SQL injection attacks will result in a successful intrusion. A number of sufficiently knowledgeable people have suggested to me that OSX Server is not secure enough to be left exposed to the net without a firewall. I know that in itself requires some clarification to be understood properly though.


Funny you should mention that. I watched that hacker attack my server, I run MySQL and he tried all the classic attacks. They didn't work.

And still nobody's broken MacOS X. You might be able to rig a misconfigured webserver to reflect spam (easily done by taking advantage of bad .cgi scripts) but you won't get into the system from the outside. If you are getting advice that OS X Server is so insecure that it requires a firewall, I can only assume you are dealing with Windows-only FUD-spewers. And it's only going to get worse. This sort of rubbish is the first wave of the Windows Full Employment Security movement. If so-called Certified Windows Experts don't keep people from switching to Mac instead of buying Vista, they'll be out of a job. So the FUD is going to get thrown a lot harder as Vista approaches, and everyone discovers that it has nothing new to offer and no security advantages. You know there's already viruses for the Vista beta, and it's still only in beta, right? But you don't hear that from sources like ZDNet (majority owner: Paul Allen, a founder of Microsoft). Gosh, I wonder why a Microsoft-owned news source is spewing lies about MacOS X? :liar:

Postby Adhesive » Sun Mar 12, 2006 12:19 pm

Charles wrote:
So there is not one shred of evidence that the story of the hacked mac is true. The hacker "Gwerdna" won't show proof he can hack a mac, and the system operator that was allegedly hacked won't show proof he was hacked. There is no story here.


I have no idea if mac x is hackable or not, and I don't really even care. But, just to play devil's advocate, isn't there a chance that the hacker didn't want to give away the unpublished exploit?
"I would make all my subordinates Americans and start a hamburger joint with great atmosphere. "

Postby Charles » Sun Mar 12, 2006 12:26 pm

Adhesive wrote:I have no idea if mac x is hackable or not, and I don't really even care. But, just to play devil's advocate, isn't there a chance that the hacker didn't want to give away the unpublished exploit?

Just to play Occam's Razor, which do you think is more likely:

1. Hacker has secret exploit.
2. Hacker is boasting and has no secret exploit.

In either case, it doesn't matter because it's claimed to be a privilege escalation hack that requires you to already be logged in with a valid account on the Mac. It is not a way to crack the box from the outside.

Postby Adhesive » Sun Mar 12, 2006 4:44 pm

Charles wrote:Just to play Occam's Razor, which do you think is more likely:

1. Hacker has secret exploit.
2. Hacker is boasting and has no secret exploit.


I don't think Ockham's Razor is exactly about probability or likelihood, it's more to do with choosing the theory that requires the least amount of assumptions. And in this case I don't think that you arguing the two individuals paired-up and created a hoax to gain popularity, or tarnish the OS X image, is any less assumptive than me wondering if their claims are true and they simply don't want to give away their secrets.

Charles wrote: In either case, it doesn't matter because it's claimed to be a privilege escalation hack that requires you to already be logged in with a valid account on the Mac. It is not a way to crack the box from the outside.


I'm not very familiar with computers, does that mean that the would-be hacker must already have the user's login/pass or that the user has to already be logged into the OS?
"I would make all my subordinates Americans and start a hamburger joint with great atmosphere. "

market share?

Postby cenic » Sun Mar 12, 2006 9:13 pm

here is a picture of the datacenter I work at:

Image

this is just one room and one row. A bunch of xserves, a few g4s, and a handful of powerpcs (and the rogue pc I have on that row running freebsd in the bottom right corner :) ) I know it proves nothing, but I figured it would be a good chance to show off :)

on a side note: we take joy in backing up the movies from our exploited windows boxes for our enjoyment.

Postby electrocat » Mon Mar 13, 2006 4:39 pm

spyder wrote:Hacker Gains Root Access to Mac OS X in 30 Minutes


What might surprise many is that both Apple's Mac OS X and Microsoft's Windows have roughly the same type of vulnerabilities in a similar volume, said Weafer.



You like that quote from a company that sells antivirus software. That's bullshit. I haven't used antivirus software on my Mac since like 1998... and I'm almost sure I didn't need it before. I have never gotten a virus, worm, trojan horse.

Postby spyder » Mon Mar 13, 2006 10:47 pm

Image


Sorry. Immature I know, but I couldn't resist :p

Postby mr. sparkle » Tue Mar 14, 2006 10:16 am

Dude,
Your iMac SHREDS!
Mr. Sparkle
Member - FG Iliterati

"I am interested in the relationship of the lower part of the human body and the lower part of the social structure on which the reality of daily Japanese life obstinately supports itself."

- Shohei Imamura

Postby PrivateGaijin » Tue Mar 14, 2006 3:24 pm

Charles wrote:Funny you should mention that. I watched that hacker attack my server, I run MySQL and he tried all the classic attacks. They didn't work.


So because a piss-ass script kiddy could not break into 1 out of hundreds of thousands of Mac boxen on the internet, you assumed that Mac OSX cannot be broken? Mac OS is secure because in 1 instance that you know of, it proved to be secure from an attacker. Do you know what this is called? Anecdotal Evidence. Look it up.

Postby B Gallagher » Wed Mar 15, 2006 1:31 am

Innocent until proven guilty, right?

Postby PrivateGaijin » Wed Mar 15, 2006 1:39 pm

B Gallagher wrote:Innocent until proven guilty, right?


That is certainly the case, but I was questioning the premise under which the GP was saying he had concluded Mac OS to be secure. It may well be secure, but saying it's secure because in a random 1 case sample it has proven to be secure is misleading. Anyone with any decent experience in the industry knows that to make such categorical claims is a recipe for disaster. This is more marketing speak than techno-speak. Mac OS may be the most secure OS in the world (I hope BSD guys are not reading this), but that claim should be made with the right justifications, not anecdotal evidence.